More than HK$9.6 million held in company bank accounts was targeted in a sophisticated e-mail scam that tricked 13 people into revealing the code generated by personal security devices banks issue for customers to conduct transactions online, police say.
The e-mails contained malware disguised as an attachment that steered the victims to websites that looked like banks' actual sites, where the customers then typed in their security code and log-in details.
Anthony Cheng Hung, chief inspector with the police's technology crime division, said three mainlanders, aged 49 to 52, were arrested last month over an unsuccessful attempt to transfer HK$1.9 million from victims' accounts. They are scheduled to appear in Eastern Court on May 20.
"There is a lot of malware in this world, and it is getting more and more advanced. So we need to improve people's security awareness," Cheng said.
The latest cases, which occurred across the first four months of the year, mark a sharp increase over the five cases recorded last year.
Although HK$9.66 million was involved, only HK$2.8 million was successfully transferred to overseas accounts, some in Britain, the United States, the Czech Republic and the mainland, police said. Other transactions were interrupted when victims discovered what was happening before the process ended.
Fraudsters sent out e-mails - purporting to come from the victims' actual bank - along with a zip file attachment. Opening the attachment allowed for malware to be inserted into their computers. When the victims tried to open the website of the actual bank, the programme steered them to a similar but fake one.
It prompted them to type in their e-banking log-in name, password and the code generated by the security device.
The programme would slow and halt the computer's operation, giving the impression that it was processing the transaction, Cheng said.
At the same time, the fraudsters were transferring money out of victims' accounts.
Cheng said users discovered they were being tricked when they received text messages from the actual banks notifying them about the transactions. They called the banks to halt the transactions but not every one was successful.
He refused to disclose which banks were involved, only saying it involved more than one. He stressed the banks' security measures were not at fault. Police are tracing the source of the e-mails, and have yet to determine whether any syndicate was behind it.
Police warned people to beware of suspicious e-mails and attachments, to update their anti-virus software, and to switch off their computers and call the bank if their e-banking activities stalled suspiciously.
Bank of China (Hong Kong) said its customers had received suspicious e-mails, but they had not logged on to the fake websites so they suffered no loss.
HSBC said that it did not have any record of incidents of fraud where their security token had been used correctly.
The Monetary Authority said that since January it had received reports from three banks, saying there had been 34 victims, involving HK$3.3 million in losses.